New Security Problems and a Warning About Checking User Input

01/30/2001

Welcome to the Security Alerts column, an overview of new Unix and open source security-related advisories and news. Problems this week include buffer overflows in splitvt, bing, write, and Lotus Domino's SMTP server; temporary file problems with webmin and Apache's mod_rewrite; format string problems with icecast; IP firewalling problems in FreeBSD; and SQL problems in Postaci.

The splitvt program splits a vt100-compatible terminal or screen into an upper and lower window that can each execute a different program. Versions before 1.6.5 have a format string vulnerability and several buffer overflows. Since splitvt is installed suid root on many systems, these vulnerabilities can be exploited to obtain root privileges.

It is recommended that you upgrade to version 1.6.5 or newer. If you are not using splitvt or do not wish to upgrade, then the suid and sgid bits should be removed from the application.

bing, a throughput measurement tool, has a buffer overflow that can lead (on systems where it is installed suid root) to a root exploit. The overflow is in the code that handles host names. Exploiting it requires that the attacker be able to create an arbitrary resolvable host name that they can pass to the application.

webmin, a web-based administrative interface for Unix machines, creates temporary files insecurely. This problem can be used to overwrite and create arbitrary files and can lead to a root compromise. Versions prior to 0.84 are affected.

The icecast audio stream server has a format string vulnerability that can be used to execute arbitrary commands. Since icecast normally runs as the root user, this can lead to a remote root compromise.

A patch has been published and incorporated in several distributions. I was not able to find out if the fix has been made to the version that can be downloaded from the icecast.org web site. I recommend that you check with your vendor for an updated version.

The Oracle XSQL Servlet has a problem that can be used to execute arbitrary Java code on an Oracle database server. Versions affected include the 8.1.7.0.0 database server, Oracle8i release 8.1.7.0.0 and the Enterprise Edition running Oracle Internet Application server with XSQL release 1.0.0.0, and XSQL releases 1.0.1.0 to 1.0.3.0 on all platforms.

If you are using any of these products you should download release 1.0.4.0 of XSQL. Oracle will also be correcting this problem when they release Oracle8i, release 8.1.7.1.

The write command allows you to send lines of text to other users of a system. The write command under Solaris 7 has a buffer overflow in the handling of its second command line argument. By exploiting this vulnerability, an attacker can execute arbitrary code with the permissions of the group tty.

It is recommended that the set group id bit be removed from write until a patch has been released by Sun. This problem has been fixed in Solaris 8.

The stand-alone shell, sash, is a statically linked shell that contains many built-in utilities, including chmod, chown, grep, file, ls, tar, mount, and many more. It can be used to replace shared libraries safely, or in emergencies. Versions prior to 3.4-4 did not clone the shadow file properly, which could expose the contents of that file.

It is recommended that users upgrade to 3.4-4 or newer as soon as possible.

The FreeBSD tools ipfw and ip6fw provide packet-filtering, redirecting, and accounting functions. A TCP/IP packet crafted so that the ECE flag is set can incorrectly be passed through by the packet filters if a rule exists to allow established connections. An example of such a rule would be "allow tcp from any to any established." How vulnerable this makes a system or network will vary according to the exact rules in place.

You can work around this problem by rewriting any rule that contains the established keyword. It is, however, recommended that you upgrade to FreeBSD 3.5-STABLE or 4.2-STABLE after the correction date (01-12-01), or apply the ipfw and ip6fw patches.

Postaci, a popular web mail package, does not properly check for malicious SQL code in variables coming from the user when using the PostgreSQL database. This can allow a user to execute arbitrary SQL queries.

At this time a patch to fix this problem has not been released.

This sort of problem is easy for a programmer to fall into. It occurs when the programmer fails to check all possible user-supplied input. With PHP, this can be any variable that you use in your forms and scripts. Remember that the user is in control of their client and can send you whatever data they choose. You need to check or initialize every variable before you use it or send it to your SQL database as part of a query. Numbers should be numbers and not SQL statements, and so on.
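The following is an added illustration of the defect class described above, not code from Postaci or from this column. It uses Python with an in-memory SQLite table (a constructed stand-in for the PostgreSQL schema, which is not on the page) so that it runs offline; the function and table names are assumptions. The vulnerable lookup pastes the request variable straight into the query text, so a value such as "1 OR 1=1" rewrites the WHERE clause and returns every row. The checked lookup does what the text recommends: it insists that a number is a number before the value gets anywhere near the database, and then hands the value to the driver as a bound parameter rather than as part of the SQL string.

```python
import re
import sqlite3


def make_db():
    """Build a tiny constructed 'users' table in memory for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, mailbox TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice", "alice@example.invalid"),
            (2, "bob", "bob@example.invalid"),
        ],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """The defect: the user-supplied value becomes part of the SQL text.

    user_id is whatever arrived in the request (a string), so an attacker
    controls the end of the WHERE clause.
    """
    sql = "SELECT login, mailbox FROM users WHERE id = %s" % user_id
    return conn.execute(sql).fetchall()


def lookup_checked(conn, user_id):
    """The corrected form: validate, then bind.

    1. 'Numbers should be numbers': accept only a string of decimal digits.
    2. Pass the value as a bound parameter ('?') so the database driver
       never interprets it as SQL syntax, whatever it contains.
    """
    if not isinstance(user_id, str) or re.fullmatch(r"[0-9]+", user_id) is None:
        raise ValueError("user_id must be a decimal integer")
    return conn.execute(
        "SELECT login, mailbox FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


def demo():
    """Run both lookups against the same hostile input and report the outcome."""
    hostile = "1 OR 1=1"  # constructed sample of a request variable
    leaked = lookup_vulnerable(make_db(), hostile)
    try:
        lookup_checked(make_db(), hostile)
        rejected = False
    except ValueError:
        rejected = True
    return {"rows_leaked_by_vulnerable": len(leaked), "rejected_by_checked": rejected}


if __name__ == "__main__":
    print(demo())
```

The same two steps apply in PHP: validate each request variable against the form you expect (for example, a pattern match or a cast such as intval() for integers) and then pass values to the database through a parameterised call such as pg_query_params() rather than by string concatenation. Note that binding alone would already stop the clause rewriting shown here; the explicit check is still worth having, because it rejects bad input at the edge of the script, before it can reach any other code path that might still build a query by hand.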

An interesting exercise is to trade places with the attacker. Put yourself in their shoes and see what unexpected things you can make your system or software do when you put your mind into it. You may be surprised with what you find out, and that is much better than being surprised by a system cracker.